1. Distributed Trust Relationship & Polynomial-based Key Generation for IEEE 802.16m Networks IEEE 802.16 Presentation Submission Template (Rev. 9) Document Number: IEEE S802.16m-08/879 Date Submitted: 2009-09-09 Source: Ranga ReddyE-mail:Ranga.Reddy@us.army.mil US Army Bin XieE-mail:routingp@gmail.com Carnegie Mellon University Andrew DeCarloE-mail:aDeCarlo@infoscitex.com Infoscitex Corporation * http://standards.ieee.org/faqs/affiliationFAQ.html Venue: MAC/Security; in response to TGm Call for Contributions and Comments 802.16m-08/033 for Session 57 Base Contribution: IEEE C80216m-08/879, or latest revision Purpose: Review contributions, discussion, and consider incorporation of text into IEEE 802.16m SDD Notice: This document does not represent the agreed views of the IEEE 802.16 Working Group or any of its subgroups. It represents only the views of the participants listed in the “Source(s)” field above. It is offered as a basis for discussion. It is not binding on the contributor(s), who reserve(s) the right to add, amend or withdraw material contained herein. Release: The contributor grants a free, irrevocable license to the IEEE to incorporate material contained in this contribution, and any modifications thereof, in the creation of an IEEE Standards publication; to copyright in the IEEE’s name any IEEE Standards publication even though it may include portions of this contribution; and at the IEEE’s sole discretion to permit others to reproduce in whole or in part the resulting IEEE Standards publication. The contributor also acknowledges and accepts that this contribution may be made public by IEEE 802.16. Patent Policy: The contributor is familiar with the IEEE-SA Patent Policy and Procedures: and.http://standards.ieee.org/guides/bylaws/sect6-7.html#6http://standards.ieee.org/guides/opman/sect6.html#6.3 Further information is located at and.http://standards.ieee.org/board/pat/pat-material.htmlhttp://standards.ieee.org/board/pat

2. Introduction Recent emergence of the IEEE 802.16j [2] and work on relaying within the 16m working group [3] advocate the incorporation of Relay Stations (RSs) into BWA networks. RSs add multi-hop relaying into BWA networks so that a SS or MS is able to connect to a BS in a multi-hop fashion, extending the coverage/capacity of the BS. Like the MS, the RS may have the capability to be mobile and the RS’s mobility is determined by application scenarios. However, due to mobility, networks with multi-hop relaying functionality need to have adequate built-in security to support network deployments with dynamic topologies before they can become widely acceptable. New system vulnerabilities may become exploitable.

3. Potential Vulnerabilities & Solution New system vulnerabilities may become exploitable: –An adversary may attack the network by redirecting the SS’s connection towards a wrong destination. –The attacker may also masquerade as a genuine RS/BS to launch a variety of mobility attacks, such as registration poisoning, and bogus handover. These mobility attacks drastically degrade the efficiency of packet forwarding, lower the packet delivery rate, or may degrade the network connectivity. The proposed Distributed Trust Relationship (DTR) and Polynomial-based key generation are suggested as a mechanism to enhance the security of these networks and ensure robust deployments where the BWA network topology is dynamically changing.

4. Distributed Trust Relationship SAs are used to maintain the security state relevant to a connection, but such SAs are hopwise without the flexibility in terms of mobility. DTR can be used to extend the 802.16 standard to support secure multi-hop transmission in a dynamic topology. In this case, security authentication and confidentiality build in a distributed manner. Figure 1 illustrates a example that RS1 newly attaches to RS2 and accordingly changes its security attachment to RS2.

5. Distributed Trust Relationship – Figure 1

6. Polynomial-based Key Generation (1/4) Polynomial-based key generation is an approach where an authorized server distributes a shared secret to a set of nodes so each node can compute a shared key for secure connection with every other node. In other words, once the node has a polynomial function, every entity (i.e., BS/RS/subscriber station) can compute a shared secret key with another entity by only exchanging their Ids. The theoretical analysis and its robustness of such an approach are studied in [5] and [6].

7. Polynomial-based Key Generation (2/4) Suppose there is a k-degree bivariate polynomial, where coefficients a ij (0 ≤ i, j ≤ k) which is defined by: –(1) The polynomial in equation (1) is symmetric, in that: –(2) Therefore, two entities evaluate the polynomial function by using their own IDs (i.e., x) and the peer ID (i.e., y) respectively, then they yield the same value (i.e., the shared key).

8. Polynomial-based Key Generation (3/4) Each node (BS/RS/SS) has a unique ID. Let's consider example with two RSs, RS i and RS j. RS j calculates its' pairwise key K MRj-MTi by: –(3) Similarly, RS i does the same: –(4)

9. Polynomial-based Key Generation (4/4) The bivariate polynomial's symmetric property means that both RS's have established a pair-wise key by two independent calculations This method is helpful in establishing keying material for a group of nodes and is resilient to mobility. –If # nodes leaving group < the degree of the polynomial, then re- keying is not necessary –If # nodes leaving group > the degree of polynomial, then we establish two polynomials with overlapping liftetimes when groups are formed More work is needed to determine optimal polnyomials that can be used. One method is for the polynomial to reflect network hierarchy. Selection of final algorithms for polynomial generation is FFS.

10. Text Proposal (1/3) [Insert the following subsection into Section 12] 12.x Dynamic Creation & Mapping of Security Associations [Insert the following subsection into Section 12.x Dynmaic Creation & Mapping of Security Associations] 12.x.1 Dynamic Creation & Mapping of Group Security Associations [Insert the following text into subsection 12.x.1] A distributed trust relationship (DTR) model is used to establish SAs for groups, where mobility can have a dynamic effect on group membership. An example illustration of the DTR model is shown in Figure 1. [Insert Figure 1 from Section 2.1 of C80216m-08/879r1] Figure 1 Figure 1 illustrates a example that RS1 attaches to RS2 and changes its security attachment to RS2. Considering that RS1 has an SA (i.e., SA5 in Figure 1) with the authentication server that can only be accessed by the BS, a discovery of trustworthy infrastructure enables RS1 to construct an SA with RS2 as shown in Figure 1. If RS2, RS3, and BS1 have been mutually authenticated with other, then the mutual authentication process can be carried out between RS1 and RS2. From a logical viewpoint: IF (SA3 && SA2 && SA1 && SA6) THEN SA5 should be true. In the same way, we can have SA8 to support the connection request from the MS after verifying its credential. DTR establishment provides a procedure from which SAs for groups of stations can be created dynamically and on-the-fly.

11. Text Proposal (2/3) [Insert the following subsection into Section 12] 12.y Key Derivation [Insert the following subsection into Section 12.y Key Derivation] 12.y.1 Group KEK and TEK Derivation [Insert the following subsection into Section 12.y.1 Group KEK and TEK Derivation] In order to facilitate generation of keying material on a group basis an identity (ID)-based pair-wise key establishment approach using bi-variate polynomial-key generation mechanism shall be used. The polynomial-key generating algorithm only involves linear combination with low computational overhead, facilitating re-keying in instances where there is node mobility and dynamic group membership. Polynomial-based key generation is an approach where an authorized server distributes a shared secret to a set of nodes so each node can compute a shared key for secure connection with every other. In other words, once the node has a polynomial function, every entity (i.e., BS/RS/subscriber station) and can compute a shared secret key with any other entity by only exchanging their IDs.

12. Text Proposal (3/3) In mobility scenarios there are two cases to consider, when nodes leave a set and when a new node joins a set. When a member node of the set leaves re-keying is not immediately necessary. Re- keying is only needed if the number of nodes that leave the set is < t, where tis the degree of the polynomial function, because every pair of pairwise keys is independent of the other keys. However, when a new node tries to join the set, a new shared secret must be distributed to the group. This is mitigated by having overlapping lifetimes for the old group key and the new group key, as the shared secret (i.e. polynomials) used to generate those keys is different for each group. Simply put, old group members can use the old key between themselves, while the new group members must use the new key. More work is needed to determine which polynomial generation algorithms are optimal. One option is for the polynomials to mirror the hierarchical nature of the network topology. Other options may be possible, but final selection is FFS.

13. References [1] "Draft Standard for Local and Metropolitan Area Networks, Part16: Air Interface for Broadband Wireless Access Systems", IEEE P802.16 Rev2/D6, July 2008. [2] "Draft Amendment to IEEE Standard for Local and Metropolitan Area Networks, Part16: Air Interface for Fixed and Mobile Broadband Wireless Access Systems - Multihop Relay Specification", IEEE P802.16j/D6, July 2008. [3] Hamiti, Shkumbin, "The Draft IEEE 802.16m System Description Document", IEEE 802.16m- 08/003r4, July 2008. [4] Johnston, D. and Walker, J., "Overview of IEEE 802.16 Security," IEEE Security and Privacy Magazine, vol. 2, no. 3, pp. 40-48, May-June 2004. [5] Blundo, C. et al., “Perfectly-Secure Key Distribution for Dynamic Conferences,” Lecture Notes in Computer Science, 740:471–486, 1993. [6] Gupta, Ananya, et al., “Decentralized Key Generation Scheme for Cellular-based Wireless Ad hoc Networks”, Elsevier Journal of Parallell and Distributed Computing, Volume 67, Issue 9, pp. 981-991, 2007.